How to import DISA STIG baselines/templates into SCM?

    Question

  • Hello,

    I have been playing with both Security Compliance Manager as well as System Center ConfigMgr Extensions for SCAP tools to determine how I can import DISA STIG Inf files. 

    My end goal is to be able to use SCCM DCM to check/manage compliance for some of these pre-defined security standards such as DISA STIGs.

    I read in an earlier post that MSFT is currently looking into allowing INF imports into SCM. Is there any idea on when this might be available, or is there another approach I can take?

    Thank you,

    Manoj

    Tuesday, November 9, 2010 8:12 PM

Answers

All replies

  • We have built GPO Import into SCM v2, which will support INFs inside of a “GPO Backup”. Check out my blog here:

    http://blogs.technet.com/b/secguide/archive/2011/06/27/scm-v2-beta-new-baselines-available-to-download.aspx

    -jeff

    Wednesday, December 1, 2010 11:52 PM
  • Jason/ Experts,

    I see you marked this as answer. I am trying to use Windows 2008 R2 STIG - Version 1, Release 12 from http://iase.disa.mil/stigs/os/windows/Pages/2008r2.aspx. On extracting the file u_windows_2008_r2_v1r12_stig, I get the folders and files as below:

    I extract the U_Active_Directory_Domain_v2r4_Manual_STIG and see the files as DoD-DISA-logos-as-JPEG(jpeg), STIG_unclass (XSL) and U_Active_Directory_Domain_v2r4_STIG_Manual-xccdf (XML)

    I am using Microsoft Security Compliance Manager (3.0.xx) to import the GPO. The DC folder has no .inf files that Microsoft claims can be loaded to SCM (from v2 onwards). However there is a templates folder, Templates - 2008 R2, that has setup files as seen below. These cannot be loaded to SCM with the Import GPO function.

    Now I am not sure how this is marked an answer and I can't find a solution from Microsoft on how to import the settings to load the DISA STIGS into a Group Policy. If the solution is to MANUALLY enter the policies and export into a GPO Pack and Import, it is time consuming though it can be done and will take a considerable amount of time. I can't see Microsoft providing that as a solution. So how could I get this? Is there a tool to do this?

    I will appreciate a solution/ suggestion/ advice that will enable us to load the DISA STIGS to group policy that can be applied to AD DC.

    Thanks


    TIA TP

    Saturday, August 23, 2014 10:08 PM
  • I think many of us in the DOD are asking for the same thing. This is a great tool for compliance (validation and remediation), but we have no way of getting the STIGS into SCCM without manually bringing it in... I myself am working on this manually.... it's a pain, and stinks because the STIG will update every quarter, so I will have to make manual changes every quarter.
    Tuesday, September 9, 2014 5:33 PM
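
Added example, not part of the thread and not Microsoft or DISA code: for the quarterly-update problem raised above, a short Python script that diffs two releases of a STIG's XCCDF benchmark XML so that only new, removed, or changed rules need manual rework. It assumes the XCCDF 1.1 namespace and that each Group id (the V- number) stays stable between releases; the two benchmarks are constructed samples, not real STIG content.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # assumed: XCCDF 1.1 namespace

def _bench(body):  # wraps constructed sample groups in a Benchmark element
    return f'<Benchmark xmlns="{NS["x"]}" id="Sample_STIG">{body}</Benchmark>'

def _group(vid, rev, sev, title, check):  # one constructed Group/Rule pair
    return (f'<Group id="{vid}"><Rule id="S{vid}r{rev}_rule" severity="{sev}">'
            f'<title>{title}</title><check><check-content>{check}'
            f'</check-content></check></Rule></Group>')

# Constructed sample releases (hypothetical settings, not DISA content).
OLD_RELEASE = _bench(
    _group("V-0001", 1, "high", "Setting A must be enabled.", "Verify A is 1.")
    + _group("V-0002", 1, "medium", "Setting B must be disabled.", "Verify B is 0.")
    + _group("V-0003", 1, "low", "Setting C must be 15 or less.", "Verify C."))
NEW_RELEASE = _bench(
    _group("V-0001", 1, "high", "Setting A must be enabled.", "Verify A is 1.")
    + _group("V-0002", 2, "high", "Setting B must be disabled.", "Verify B is 0 in policy.")
    + _group("V-0004", 1, "medium", "Setting D must be configured.", "Verify D."))

def load_rules(xccdf_text):
    """Return {group id: rule fields} for every Rule in an XCCDF benchmark."""
    rules = {}
    for group in ET.fromstring(xccdf_text).iterfind(".//x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:  # a Group without a Rule carries nothing to configure
            continue
        rules[group.get("id")] = {
            "rule_id": rule.get("id"),
            "severity": rule.get("severity"),
            "title": rule.findtext("x:title", "", NS).strip(),
            "check": rule.findtext("x:check/x:check-content", "", NS).strip(),
        }
    return rules

def diff_releases(old_text, new_text):
    """List rules added, removed, or changed between two benchmark releases."""
    old, new = load_rules(old_text), load_rules(new_text)
    changed = {}
    for vid in sorted(old.keys() & new.keys()):
        fields = [f for f in ("severity", "title", "check") if old[vid][f] != new[vid][f]]
        if fields:
            changed[vid] = fields  # which fields need a second look
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

if __name__ == "__main__":
    for kind, items in diff_releases(OLD_RELEASE, NEW_RELEASE).items():
        print(kind, items)
```

To use it on real content, pass the text of two `*-xccdf.xml` files from consecutive releases to `diff_releases`.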
  • Actually, Microsoft is working on a new version of the SCAP Extensions for ConfigMgr 2012 and expects it to fully support DISA STIGs. Our rep mentioned that this was in the works and I emailed the System Center team to verify as I too have been wanting this functionality for some time. Below was their response:

    "Yes we are working on a version of the SCAP Extensions for System Center 2012 Configuration Manager.  We do expect to support DISA's STIG content. Specifically we will support the conversion of currently published DISA (STIG) content to a DCM (configuration data) cab for import to Configuration Manager."

    Unfortunately, they do not have a release date yet, but sounds like it's coming!

    Friday, September 19, 2014 6:01 PM
  • Thanks for sharing the news...

    TIA TP

    Saturday, September 20, 2014 11:29 AM
  • Could you ask them if the STIG conversion functionality will also be available in SCM 3? I work with standalone systems and SCCM isn't an option.  I've already gone through the manual process of STIGing the SCM Baselines and would appreciate an automated, verifiable way of doing it.

    I'd like to pass on my thanks to the SCM team for putting it together-it's been an invaluable tool and made configuring/reconfiguring standalones much easier.

    Tuesday, October 7, 2014 5:20 PM
  • What is the format of the INF so we can convert the Excel, XML and JSON exports of the STIG?
    Monday, November 24, 2014 10:57 PM
  • Does anyone have any updates on this? I work at a small federal agency and don't have the resources to manually create GPOs from the XML files, so we're still running old versions of software...  :-(

    Thursday, October 15, 2015 9:26 PM
  • Does anyone have any updates on this? I work at a small federal agency and don't have the resources to manually create GPOs from the XML files, so we're still running old versions of software...  :-(

    Wondering if you ever found an answer to this. I have tried everything to import the .cab file created from scaptodcm. I used the xml files extracted from both DISA and USCG. Neither will import after converting them with scaptodcm.exe.

    I keep getting "The package appears to be missing the required component 'package.xml'.
    Double-click the file to view more details about this error."

    William

    Tuesday, December 1, 2015 3:24 AM
  • Wondering if you ever found an answer to this. I have tried everything to import the .cab file created from scaptodcm. I used the xml files extracted from both DISA and USCG. Neither will import after converting them with scaptodcm.exe.

    I keep getting "The package appears to be missing the required component 'package.xml'.
    Double-click the file to view more details about this error."

    William

    I had to manually create the GPO for IE 11.  We should start a repository for things like this, for the benefit of the community...
    Tuesday, December 1, 2015 3:27 AM
  • That would be a great idea, considering the painful process of manually stigging each of the categories for an enterprise environment. What gets me is the directions for the tool state it should be able to convert xccd.xml files from disa/uscg but then it doesn't. Maybe my command line parameters are wrong........ This is frustrating.
    Tuesday, December 1, 2015 3:31 AM
  • Wondering if there has been any update in this area as well. We are planning to deploy DISA STIGs for Windows 10, and same as before there is no good way to import the DISA STIGs into SCM or an actual GPO because they don't provide a GPO Backup. Seems the only option is to manually create a GPO based on the settings, which takes a very long time.
    Monday, January 25, 2016 8:42 PM
  • Hi,

    I would like to second any movement to import STIG into SCM.

    Would be a huge help.

    Thursday, March 10, 2016 7:09 PM
  • Jeff,

    I am needing to harden my DCs by DISA STIGs. Is this doable? If so, how? Thanks!


    • Edited by PowaySean Monday, March 20, 2017 8:46 PM
    Monday, March 20, 2017 8:45 PM
  • Seems the 3.0 version converts the Benchmark.xml and cpe-dictionary.xml files just fine. I am able to then import the cab into SCCM as baseline and individual CIs......

    That works for Windows Server 2012 / 2012R2 but not for Server 2008R2 MS for some reason. Converts fine without error. But throws an error on importing into SCCM. I haven't tried any of the other OS's or Application stigs.

    William

    Tuesday, August 1, 2017 4:28 PM